What Is a Passkey and How Do Passkeys Work?
There’s been a lot of buzz about a passwordless future lately, and it can’t come soon enough. Currently, cybercriminals have access to billions of compromised credentials on the dark web. And at this point, it’s safe to say that few of us haven’t had our passwords stolen in one data breach or another.
To solve this problem, the cybersecurity industry is making steady inroads toward passwordless authentication. Among those leading the charge is the FIDO (“Fast IDentity Online”) Alliance, which has been working on developing passwordless authentication standards. More recently, Apple announced its own passwordless authentication using passkeys, with Google not far behind.
Digital Shadows researchers have found 6.7 billion unique logins—combinations of usernames and passwords—on the dark web. This treasure trove of logins puts a lot of consumers at risk, especially considering how many people reuse their passwords. That’s why adopting passkey-based authentication is likely to become a fast-growing trend.
Let’s dive into what a passkey is and how it’s different from a password.
Want to learn more about using Dashlane Password Manager at home or at work?
Check out our personal password manager plans or get started with a free business trial.
What is a passkey?
Simply put, a passkey is a passwordless login. This new standard uses public-key cryptography to authenticate your access to websites and apps. Instead of you having to create a password for your account, you enable an “authenticator” to generate a passkey—a pair of related cryptographic keys. The authenticator can be your smartphone, another mobile device, or a password manager that supports passkeys.
The authenticator still requires some form of user verification. This could be through entering a master password or biometrics (Face ID or Touch ID), which adds both security and convenience. With biometric identification, you don’t have to remember a password for your authenticator. Biometrics are also more secure and convenient for users than entering a device or app password.
Your passkeys are stored securely in a vault, such as your device’s keychain or your password manager. Since they can sync across devices, they’re seamless and convenient to use, and the overall user experience with passkeys is an improvement over passwords.
How do passkeys work?
Your authenticator generates public and private keys during account registration or when you enable passkeys on accounts that support them. The service provider or website and your authenticator communicate directly by exchanging the keys.
The public key, which is sent to the web server for storage, has no value to a cyberattacker. Think of it as your username—it can’t do much without your password.
On the other hand, the private key must stay secret and is only stored on your device. When you try to log in, the server sends a challenge to the authenticator (some random data to prove you’re the one logging in). The private key solves the challenge and sends the response back, essentially “signing” that data with the private key.
The keys are mathematically related, which means that when the signed data is returned to the server, the server can verify it with the public key—but it doesn’t actually need to know what the key is to validate it.
Passkeys vs. passwords
In the process described above, no secrets are exchanged between the server and your authenticator. This is different from password-based authentication, where information about the secret password is exchanged to verify the password’s accuracy. And since they’re based on public-key cryptography, passkeys don’t rely on storing shared secrets on a server either.
These are just two reasons why passkeys are more secure than passwords. While no authentication method is completely foolproof, several other factors make passkeys more secure than passwords:
- They can’t be guessed or reused.
- They’re phishing-resistant. Because passkeys are unique to the app or website they’re created for, a malicious actor can’t trick you into using the passkey on a look-alike or fraudulent site.
- Since they’re only stored on your device, cybercriminals can’t steal your passkeys by hacking into the provider’s server or database.
Will passkeys replace passwords?
It will likely take a few years, but passkeys are expected to eventually replace passwords. Currently, only a few websites support passkeys, including PayPal, eBay, Microsoft, and Best Buy.
The FIDO Alliance has been working on passwordless authentication standards for some time. The most important development, however, came recently when the technology consortium announced it had proposed a method to store cryptographic keys so they can sync between devices. (In fact, FIDO calls passkeys multi-device FIDO credentials.) This paves the way for the wider adoption of passkeys.
When adoption goes mainstream, passkeys will bring a major shift in how you log in to your accounts—and a giant step toward keeping your data private.
Recently, Dashlane launched integrated passkey support, becoming the first in the industry to offer an in-browser passkey solution. This is a natural step toward further simplifying security for businesses and their people.
You’ll be able to log in across websites seamlessly with your Dashlane app, store your passkeys in Dashlane, and automatically log in to your accounts. And thanks to our patented zero-knowledge architecture, you benefit from yet another security layer because no one except you can access your logins (not even us).